Add openweathermap key via sops

.sops.yaml

@@ -0,0 +1,13 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &skinnyv age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+  - &bolty age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+creation_rules:
+  - path_regex: /[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *skinnyv
+      - *bolty

README.md

@@ -145,6 +145,8 @@ reboot
 cd ~/dev/dotfiles/
 nixos-install --flake '.#'
 ssh-keygen -t ed25519
+ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+age-keygen -y ~/.config/sops/age/keys.txt #add result to .sops.yaml
 # syncthing
 # vault
 # firefox sync

nixos/home-manager/cli.nix

@@ -7,6 +7,7 @@
       ext.pass-audit
       ext.pass-update
     ]))
+    age
     aria
     bfg-repo-cleaner
     binutils
@@ -40,6 +41,8 @@
     restic
     ripgrep-all
     rustup
+    sops
+    ssh-to-age
     tmux
     topgrade
     unzip

nixos/home-manager/scripts/download.nix

@@ -1,13 +1,11 @@
 { config, pkgs, ... }:
 
 let
-  download = pkgs.writeTextFile {
-    name = "download";
-    executable = true;
-    destination = "/bin/download";
-    text = ''
+  download = pkgs.writeShellScriptBin "download" ''
     ${pkgs.aria}/bin/aria2c -x 16 -s 16 $@
   '';
-  };
 
-in { home.packages = with pkgs; [ download ]; }
+in {
+
+  home.packages = with pkgs; [ download ];
+}

nixos/i3/default.nix

@@ -1,5 +1,5 @@
 { config, pkgs, ... }: {
-  imports = [ ./autorandr.nix ];
+  imports = [ ./autorandr.nix ./openweathermap-secrets.nix ];
   environment.systemPackages = with pkgs; [ dconf ];
   programs.dconf.enable = true;
 

nixos/i3/openweathermap-fullfeatured.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-source $HOME/.open-secrets.sh
+OPENWEATHERMAP_KEY=`cat /run/secrets/openweathermap-api-key`
 
 KEY="$OPENWEATHERMAP_KEY"
 CITY=""

nixos/i3/openweathermap-secrets.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  sops.age.keyFile = /home/cyryl/.config/sops/age/keys.txt;
+  sops.secrets.openweathermap-api-key = {
+    mode = "0440";
+    owner = config.users.users.cyryl.name;
+    group = config.users.users.cyryl.group;
+    sopsFile = ./openweathermap.sops.yaml;
+  };
+  home-manager.users.cyryl = { home.sessionVariables = { }; };
+}

nixos/i3/openweathermap.sops.yaml

@@ -0,0 +1,30 @@
+openweathermap-api-key: ENC[AES256_GCM,data:NNeVpkLxM9xDxV0oskAoUPjH6b3V8K3MfnNOOAEtg0k=,iv:0uOxqjmUvslHH7yyKJuZ9h0tY20BUmqr7zsRSX2AjBc=,tag:1rJHeWtct6pph58U9Nalkw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMXQzL3JVaTBOL0U3MlFm
+            d0tjUE9abDVUR2dVbHlBQ1diSWRRWUVnalVvCnNQbWZUUmJ3TFFpL0x6c0lQV3hx
+            UW5IU28xdlp6Mi9OdU9UNmFuRWRKWmsKLS0tIG9GUFNLblphdHdmMXFQbzJmSjBN
+            TVZMTWJCd1lyZU1tNFZJQTBhT0lGZTgKKM0mC1k7YsEBaogB4Y7TEhGliU/lbETQ
+            DuZ59BaXpOy9wzQ62m3oAhubP/cQZVOp1rH094BVdQqfNnDB4+F9xg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ekZTVjhnaUJkbS9tdm9w
+            cnJQYXpYbTVjOFhCMmFaQmdERCtzS1NBSlRzCnZpYUpGa01QRElhaDdaLzRtY0sy
+            UXQrU1hJRnlNNlJWME1NWWdPbG5rcjQKLS0tIHVmY2lHZ3NDR2FTZmRpSjhkM0FG
+            L0IzUmQvNS9PT2hXYUNYL1hoRVgyQTgKdJs/VaS7G076v2CPoGz71yjeQsu19GCZ
+            pIThhU9ppGJvgo1eD0kQFeNHwHB4Wg1jN38d/KoC5A0vWYWmk+Hhng==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-04T08:35:33Z"
+    mac: ENC[AES256_GCM,data:Rne0FsSpBMOPSdwDryFtB9ui7hSxvbJMz1+Qkq3Ih1HYBdVuIldyWsoJK7D8wvAl2E/z3MMk/vBoYQUmkhuzZorqiseuFix6sAZBps08R9ZG1t7uJbHuU9Bt2/ebX3n2ZQXgWkPX06eglmqbqzE+WS/yzUxu/KGYa3aqpv2COt4=,iv:+ginG0RSy8aacTHwKnjO17XKkBU4iY5YzAcIovBIaTU=,tag:yyTxDGqK2BI1QNv+vg2ZqQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3